Proofpoint discovered one of the earliest campaigns in this cluster on October 2, 2023. The utilization of multiple traffic delivery systems (TDS), including 404 TDS and Keitaro TDS, made it noteworthy. Furthermore, the.URL files were used to take advantage of Windows SmartScreen vulnerability CVE-2023-36025. The actor’s attack chain saw changes or variations in other portions.All of the campaigns involved URL files.
The campaign’s emails included 404 TDS URLs, which led users to Keitaro TDS when they clicked on them. It was noticed that Keitaro TDS was providing a.URL file for an internet shortcut. Double clicking the internet shortcut resulted in the download of a compressed VBS script. Afterward, the VBS downloaded and ran many shell commands (cmd.exe).